SMusatov
/
ydb
mirror of https://github.com/ydb-platform/ydb.git


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457
							/*
 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License").
 * You may not use this file except in compliance with the License.
 * A copy of the License is located at
 *
 *  http://aws.amazon.com/apache2.0
 *
 * or in the "license" file accompanying this file. This file is distributed
 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
 * express or implied. See the License for the specific language governing
 * permissions and limitations under the License.
 */

#include "tls/extensions/s2n_client_key_share.h"

#include "error/s2n_errno.h"
#include "pq-crypto/s2n_pq.h"
#include "stuffer/s2n_stuffer.h"
#include "tls/extensions/s2n_key_share.h"
#include "tls/s2n_kem_preferences.h"
#include "tls/s2n_security_policies.h"
#include "tls/s2n_tls13.h"
#include "utils/s2n_safety.h"

/**
 * Specified in https://tools.ietf.org/html/rfc8446#section-4.2.8
 * "The "key_share" extension contains the endpoint's cryptographic parameters."
 *
 * Structure:
 * Extension type (2 bytes)
 * Extension data size (2 bytes)
 * Client shares size (2 bytes)
 * Client shares:
 *      Named group (2 bytes)
 *      Key share size (2 bytes)
 *      Key share (variable size)
 *
 * This extension only modifies the connection's client ecc_evp_params. It does
 * not make any decisions about which set of params to use.
 *
 * The server will NOT alert when processing a client extension that violates the RFC.
 * So the server will accept:
 * - Multiple key shares for the same named group. The server will accept the first
 *   key share for the group and ignore any duplicates.
 * - Key shares for named groups not in the client's supported_groups extension.
 **/

static int s2n_client_key_share_send(struct s2n_connection *conn, struct s2n_stuffer *out);
static int s2n_client_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension);

const s2n_extension_type s2n_client_key_share_extension = {
    .iana_value = TLS_EXTENSION_KEY_SHARE,
    .minimum_version = S2N_TLS13,
    .is_response = false,
    .send = s2n_client_key_share_send,
    .recv = s2n_client_key_share_recv,
    .should_send = s2n_extension_always_send,
    .if_missing = s2n_extension_noop_if_missing,
};

static int s2n_generate_default_ecc_key_share(struct s2n_connection *conn, struct s2n_stuffer *out)
{
    POSIX_ENSURE_REF(conn);
    const struct s2n_ecc_preferences *ecc_pref = NULL;
    POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
    POSIX_ENSURE_REF(ecc_pref);

    /* We only ever send a single EC key share: either the share requested by the server
     * during a retry, or the most preferred share according to local preferences.
     */
    struct s2n_ecc_evp_params *client_params = &conn->kex_params.client_ecc_evp_params;
    if (s2n_is_hello_retry_handshake(conn)) {
        const struct s2n_ecc_named_curve *server_curve = conn->kex_params.server_ecc_evp_params.negotiated_curve;

        /* If the server did not request a specific ECC keyshare, don't send one */
        if (!server_curve) {
            return S2N_SUCCESS;
        }

        /* If the server requested a new ECC keyshare, free the old one */
        if (server_curve != client_params->negotiated_curve) {
            POSIX_GUARD(s2n_ecc_evp_params_free(client_params));
        }

        /**
         *= https://tools.ietf.org/rfc/rfc8446#4.2.8
         *# Otherwise, when sending the new ClientHello, the client MUST
         *# replace the original "key_share" extension with one containing only a
         *# new KeyShareEntry for the group indicated in the selected_group field
         *# of the triggering HelloRetryRequest.
         **/
        client_params->negotiated_curve = server_curve;
    } else {
        client_params->negotiated_curve = ecc_pref->ecc_curves[0];
    }
    POSIX_GUARD(s2n_ecdhe_parameters_send(client_params, out));

    return S2N_SUCCESS;
}

static int s2n_generate_pq_hybrid_key_share(struct s2n_stuffer *out, struct s2n_kem_group_params *kem_group_params)
{
    POSIX_ENSURE_REF(out);
    POSIX_ENSURE_REF(kem_group_params);

    /* This function should never be called when PQ is disabled */
    POSIX_ENSURE(s2n_pq_is_enabled(), S2N_ERR_PQ_DISABLED);

    const struct s2n_kem_group *kem_group = kem_group_params->kem_group;
    POSIX_ENSURE_REF(kem_group);

    POSIX_GUARD(s2n_stuffer_write_uint16(out, kem_group->iana_id));

    struct s2n_stuffer_reservation total_share_size = { 0 };
    POSIX_GUARD(s2n_stuffer_reserve_uint16(out, &total_share_size));

    struct s2n_ecc_evp_params *ecc_params = &kem_group_params->ecc_params;
    ecc_params->negotiated_curve = kem_group->curve;

    struct s2n_kem_params *kem_params = &kem_group_params->kem_params;
    kem_params->kem = kem_group->kem;

    POSIX_GUARD_RESULT(s2n_ecdhe_send_public_key(ecc_params, out, kem_params->len_prefixed));
    POSIX_GUARD(s2n_kem_send_public_key(out, kem_params));

    POSIX_GUARD(s2n_stuffer_write_vector_size(&total_share_size));

    return S2N_SUCCESS;
}

static int s2n_generate_default_pq_hybrid_key_share(struct s2n_connection *conn, struct s2n_stuffer *out)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(out);

    /* Client should skip sending PQ groups/key shares if PQ is disabled */
    if (!s2n_pq_is_enabled()) {
        return S2N_SUCCESS;
    }

    const struct s2n_kem_preferences *kem_pref = NULL;
    POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_pref));
    POSIX_ENSURE_REF(kem_pref);

    if (kem_pref->tls13_kem_group_count == 0) {
        return S2N_SUCCESS;
    }

    /* We only ever send a single PQ key share: either the share requested by the server
     * during a retry, or the most preferred share according to local preferences.
     */
    struct s2n_kem_group_params *client_params = &conn->kex_params.client_kem_group_params;

    if (s2n_is_hello_retry_handshake(conn)) {
        const struct s2n_kem_group *server_group = conn->kex_params.server_kem_group_params.kem_group;

        /* If the server did not request a specific PQ keyshare, don't send one */
        if (!server_group) {
            return S2N_SUCCESS;
        }

        /* If the server requested a new PQ keyshare, free the old one */
        if (client_params->kem_group != server_group) {
            POSIX_GUARD(s2n_kem_group_free(client_params));
        }

        /**
         *= https://tools.ietf.org/rfc/rfc8446#4.2.8
         *# Otherwise, when sending the new ClientHello, the client MUST
         *# replace the original "key_share" extension with one containing only a
         *# new KeyShareEntry for the group indicated in the selected_group field
         *# of the triggering HelloRetryRequest.
         **/
        client_params->kem_group = server_group;
    } else {
        client_params->kem_group = kem_pref->tls13_kem_groups[0];
        client_params->kem_params.len_prefixed = s2n_tls13_client_must_use_hybrid_kem_length_prefix(kem_pref);
    }

    POSIX_GUARD(s2n_generate_pq_hybrid_key_share(out, client_params));

    return S2N_SUCCESS;
}

static int s2n_client_key_share_send(struct s2n_connection *conn, struct s2n_stuffer *out)
{
    if (s2n_is_hello_retry_handshake(conn)) {
        const struct s2n_ecc_named_curve *server_curve = conn->kex_params.server_ecc_evp_params.negotiated_curve;
        const struct s2n_ecc_named_curve *client_curve = conn->kex_params.client_ecc_evp_params.negotiated_curve;
        const struct s2n_kem_group *server_group = conn->kex_params.server_kem_group_params.kem_group;
        const struct s2n_kem_group *client_group = conn->kex_params.client_kem_group_params.kem_group;

        /* Ensure a new key share will be sent after a hello retry request */
        POSIX_ENSURE(server_curve != client_curve || server_group != client_group, S2N_ERR_BAD_KEY_SHARE);
    }

    struct s2n_stuffer_reservation shares_size = { 0 };
    POSIX_GUARD(s2n_stuffer_reserve_uint16(out, &shares_size));
    POSIX_GUARD(s2n_generate_default_pq_hybrid_key_share(conn, out));
    POSIX_GUARD(s2n_generate_default_ecc_key_share(conn, out));
    POSIX_GUARD(s2n_stuffer_write_vector_size(&shares_size));

    /* We must have written at least one share */
    POSIX_ENSURE(s2n_stuffer_data_available(out) > shares_size.length, S2N_ERR_BAD_KEY_SHARE);

    return S2N_SUCCESS;
}

static int s2n_client_key_share_parse_ecc(struct s2n_stuffer *key_share, const struct s2n_ecc_named_curve *curve,
        struct s2n_ecc_evp_params *ecc_params)
{
    POSIX_ENSURE_REF(key_share);
    POSIX_ENSURE_REF(curve);
    POSIX_ENSURE_REF(ecc_params);

    struct s2n_blob point_blob = { 0 };
    POSIX_GUARD(s2n_ecc_evp_read_params_point(key_share, curve->share_size, &point_blob));

    /* Ignore curves with points we can't parse */
    ecc_params->negotiated_curve = curve;
    if (s2n_ecc_evp_parse_params_point(&point_blob, ecc_params) != S2N_SUCCESS) {
        ecc_params->negotiated_curve = NULL;
        POSIX_GUARD(s2n_ecc_evp_params_free(ecc_params));
    }

    return S2N_SUCCESS;
}

static int s2n_client_key_share_recv_ecc(struct s2n_connection *conn, struct s2n_stuffer *key_share, uint16_t curve_iana_id)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(key_share);

    const struct s2n_ecc_preferences *ecc_pref = NULL;
    POSIX_GUARD(s2n_connection_get_ecc_preferences(conn, &ecc_pref));
    POSIX_ENSURE_REF(ecc_pref);

    struct s2n_ecc_evp_params *client_params = &conn->kex_params.client_ecc_evp_params;

    const struct s2n_ecc_named_curve *curve = NULL;
    for (size_t i = 0; i < ecc_pref->count; i++) {
        const struct s2n_ecc_named_curve *supported_curve = ecc_pref->ecc_curves[i];
        POSIX_ENSURE_REF(supported_curve);

        /* Stop if we reach the current highest priority share.
         * Any share of lower priority is discarded.
         */
        if (client_params->negotiated_curve == supported_curve) {
            break;
        }

        /* Skip if not supported by the client.
         * The client must not send shares it doesn't support, but the server
         * is not required to error if they are encountered.
         */
        if (!conn->kex_params.mutually_supported_curves[i]) {
            continue;
        }

        /* Stop if we find a match */
        if (curve_iana_id == supported_curve->iana_id) {
            curve = supported_curve;
            break;
        }
    }

    /* Ignore unsupported curves */
    if (!curve) {
        return S2N_SUCCESS;
    }

    /* Ignore curves with unexpected share sizes */
    if (key_share->blob.size != curve->share_size) {
        return S2N_SUCCESS;
    }

    DEFER_CLEANUP(struct s2n_ecc_evp_params new_client_params = { 0 }, s2n_ecc_evp_params_free);

    POSIX_GUARD(s2n_client_key_share_parse_ecc(key_share, curve, &new_client_params));
    /* negotiated_curve will be NULL if the key share was not parsed successfully */
    if (!new_client_params.negotiated_curve) {
        return S2N_SUCCESS;
    }

    POSIX_GUARD(s2n_ecc_evp_params_free(client_params));
    *client_params = new_client_params;

    ZERO_TO_DISABLE_DEFER_CLEANUP(new_client_params);
    return S2N_SUCCESS;
}

static int s2n_client_key_share_recv_pq_hybrid(struct s2n_connection *conn, struct s2n_stuffer *key_share, uint16_t kem_group_iana_id)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(key_share);

    const struct s2n_kem_preferences *kem_pref = NULL;
    POSIX_GUARD(s2n_connection_get_kem_preferences(conn, &kem_pref));
    POSIX_ENSURE_REF(kem_pref);

    /* Ignore key share if PQ is not enabled */
    if (!s2n_pq_is_enabled()) {
        return S2N_SUCCESS;
    }

    struct s2n_kem_group_params *client_params = &conn->kex_params.client_kem_group_params;

    const struct s2n_kem_group *kem_group = NULL;
    for (size_t i = 0; i < kem_pref->tls13_kem_group_count; i++) {
        const struct s2n_kem_group *supported_group = kem_pref->tls13_kem_groups[i];
        POSIX_ENSURE_REF(supported_group);

        /* Stop if we reach the current highest priority share.
         * Any share of lower priority is discarded.
         */
        if (client_params->kem_group == supported_group) {
            break;
        }

        /* Skip if not supported by the client.
         * The client must not send shares it doesn't support, but the server
         * is not required to error if they are encountered.
         */
        if (!conn->kex_params.mutually_supported_kem_groups[i]) {
            continue;
        }

        /* Stop if we find a match */
        if (kem_group_iana_id == supported_group->iana_id) {
            kem_group = supported_group;
            break;
        }
    }

    /* Ignore unsupported KEM groups */
    if (!kem_group) {
        return S2N_SUCCESS;
    }

    /* The length of the hybrid key share must be one of two possible lengths. Its internal values are either length
     * prefixed, or they are not. */
    uint16_t actual_hybrid_share_size = key_share->blob.size;
    uint16_t unprefixed_hybrid_share_size = kem_group->curve->share_size + kem_group->kem->public_key_length;
    uint16_t prefixed_hybrid_share_size = (2 * S2N_SIZE_OF_KEY_SHARE_SIZE) + unprefixed_hybrid_share_size;

    /* Ignore KEM groups with unexpected overall total share sizes */
    if ((actual_hybrid_share_size != unprefixed_hybrid_share_size) && (actual_hybrid_share_size != prefixed_hybrid_share_size)) {
        return S2N_SUCCESS;
    }

    bool is_hybrid_share_length_prefixed = (actual_hybrid_share_size == prefixed_hybrid_share_size);

    if (is_hybrid_share_length_prefixed) {
        /* Ignore KEM groups with unexpected ECC share sizes */
        uint16_t ec_share_size = 0;
        POSIX_GUARD(s2n_stuffer_read_uint16(key_share, &ec_share_size));
        if (ec_share_size != kem_group->curve->share_size) {
            return S2N_SUCCESS;
        }
    }

    DEFER_CLEANUP(struct s2n_kem_group_params new_client_params = { 0 }, s2n_kem_group_free);
    new_client_params.kem_group = kem_group;

    /* Need to save whether the client included the length prefix so that we can match their behavior in our response. */
    new_client_params.kem_params.len_prefixed = is_hybrid_share_length_prefixed;

    POSIX_GUARD(s2n_client_key_share_parse_ecc(key_share, kem_group->curve, &new_client_params.ecc_params));
    /* If we were unable to parse the EC portion of the share, negotiated_curve
     * will be NULL, and we should ignore the entire key share. */
    if (!new_client_params.ecc_params.negotiated_curve) {
        return S2N_SUCCESS;
    }

    /* Note: the PQ share size is validated in s2n_kem_recv_public_key() */
    /* Ignore groups with PQ public keys we can't parse */
    new_client_params.kem_params.kem = kem_group->kem;
    if (s2n_kem_recv_public_key(key_share, &new_client_params.kem_params) != S2N_SUCCESS) {
        return S2N_SUCCESS;
    }

    POSIX_GUARD(s2n_kem_group_free(client_params));
    *client_params = new_client_params;

    ZERO_TO_DISABLE_DEFER_CLEANUP(new_client_params);
    return S2N_SUCCESS;
}

/*
 * We chose our most preferred group of the mutually supported groups while processing the
 * supported_groups extension. However, our true most preferred group is always the
 * group that we already have a key share for, since retries are expensive.
 *
 * This method modifies our group selection based on what keyshares are available.
 * It then stores the client keyshare for the selected group, or initiates a retry
 * if no valid keyshares are available.
 */
static int s2n_client_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
    POSIX_ENSURE_REF(conn);
    POSIX_ENSURE_REF(extension);

    uint16_t key_shares_size;
    POSIX_GUARD(s2n_stuffer_read_uint16(extension, &key_shares_size));
    POSIX_ENSURE(s2n_stuffer_data_available(extension) == key_shares_size, S2N_ERR_BAD_MESSAGE);

    uint16_t named_group = 0, share_size = 0;
    struct s2n_blob key_share_blob = { 0 };
    struct s2n_stuffer key_share = { 0 };

    uint16_t keyshare_count = 0;
    while (s2n_stuffer_data_available(extension) > 0) {
        POSIX_GUARD(s2n_stuffer_read_uint16(extension, &named_group));
        POSIX_GUARD(s2n_stuffer_read_uint16(extension, &share_size));
        POSIX_ENSURE(s2n_stuffer_data_available(extension) >= share_size, S2N_ERR_BAD_MESSAGE);

        POSIX_GUARD(s2n_blob_init(&key_share_blob,
                s2n_stuffer_raw_read(extension, share_size), share_size));
        POSIX_GUARD(s2n_stuffer_init(&key_share, &key_share_blob));
        POSIX_GUARD(s2n_stuffer_skip_write(&key_share, share_size));
        keyshare_count++;

        /* Try to parse the share as ECC, then as PQ/hybrid; will ignore
         * shares for unrecognized groups. */
        POSIX_GUARD(s2n_client_key_share_recv_ecc(conn, &key_share, named_group));
        POSIX_GUARD(s2n_client_key_share_recv_pq_hybrid(conn, &key_share, named_group));
    }

    /* During a retry, the client should only have sent one keyshare */
    POSIX_ENSURE(!s2n_is_hello_retry_handshake(conn) || keyshare_count == 1, S2N_ERR_BAD_MESSAGE);

    /**
     * If there were no matching key shares, then we received an empty key share extension
     * or we didn't match a key share with a supported group. We should send a retry.
     *
     *= https://tools.ietf.org/rfc/rfc8446#4.1.1
     *# If the server selects an (EC)DHE group and the client did not offer a
     *# compatible "key_share" extension in the initial ClientHello, the
     *# server MUST respond with a HelloRetryRequest (Section 4.1.4) message.
     **/
    struct s2n_ecc_evp_params *client_ecc_params = &conn->kex_params.client_ecc_evp_params;
    struct s2n_kem_group_params *client_pq_params = &conn->kex_params.client_kem_group_params;
    if (!client_pq_params->kem_group && !client_ecc_params->negotiated_curve) {
        POSIX_GUARD(s2n_set_hello_retry_required(conn));
    }

    return S2N_SUCCESS;
}

/* Old-style extension functions -- remove after extensions refactor is complete */

int s2n_extensions_client_key_share_recv(struct s2n_connection *conn, struct s2n_stuffer *extension)
{
    return s2n_extension_recv(&s2n_client_key_share_extension, conn, extension);
}